Credential Stuffing: Why Password Reuse is not a Good Idea

It is no news that the sum of money invested in cybersecurity by industries across numerous verticals has skyrocketed over the past decade. Yet a sizeable number of these enterprises continue to suffer cyber-attacks, mostly as a result of employees neglecting their security duties. Credential stuffing is one of the many techniques at the disposal of cyber threat actors, and its rise to popularity can be attributed to its simplicity and to the difficulty of detecting it with standard security controls.

The operation behind credential stuffing is simple: threat actors take a massive collection of compromised usernames and passwords (some of which can be found for free on the dark web or obtained from a corporate mega-breach) and load them into a malicious bot program that replays them against other online services, relying on the fact that users typically reuse credentials across multiple web applications. Given this reality, it is important for end users to become conscious of the threat posed by credential stuffing, as it isn't going away anytime soon. Its scope and sophistication will continue to evolve over time, as most cyber threats do.

In Akamai's 2019 State of the Internet report, it was disclosed that the retail sector was a top target for credential stuffing attacks. This emerging trend in the retail industry has seen the use of "all-in-one bots" (AIO bots) to perform credential stuffing. These bots bypass security controls for online retail accounts and use compromised accounts to make transactions.

It is worth mentioning that the financial sector has also had its fair share of credential stuffing attacks. In 2018, it was reported that the UK financial giant HSBC recorded a security incident which affected an undisclosed number of its customers. The bank's data breach notification letter described an incident which fits perfectly into the narrative of a credential stuffing attack. This year, another major incident facilitated by credential stuffing was reported by Dunkin' Donuts. Unsurprisingly, it was the second credential stuffing attack suffered by the fast food chain in three months. Although Dunkin' successfully prevented some malicious login attempts on DD Perks accounts (Dunkin's loyalty program), it admitted that threat actors may have successfully breached user accounts where usernames and passwords had been reused on digital accounts unrelated to Dunkin' Donuts.

In fact, once set in motion, these attacks are virtually unstoppable. If the odds of successfully orchestrating a credential stuffing attack are this significant, what are the chances of mitigating this fast-rising threat? At this rate, the outcome of a staged attack depends largely on whether an end user or employee has done enough to secure their account by avoiding password reuse across digital platforms. Moreover, security experts have a big role to play in mitigating these threats, through relentless end user awareness and by enforcing the use of two-factor authentication across web-based applications.
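As an added illustration of the detection problem described above (this is example code written for this page, not the article's own code or any vendor's product), the following Python script applies a simple heuristic to constructed authentication log lines. Credential stuffing shows up as one source trying many distinct usernames roughly once each with a high failure rate, which is what separates it from a brute-force attack on a single account and from a legitimate user mistyping a password. The log format, thresholds, IP addresses and usernames are all assumptions made for the example; the successful logins coming from a flagged source are exactly the accounts whose reused passwords worked, which is the scenario the Dunkin' notification describes.

```python
"""Heuristic credential-stuffing detector over constructed login logs.

Added example, not from the original article. Log format, thresholds,
addresses and usernames are assumptions for illustration only.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format: "<timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Thresholds (assumed values; tune against your own baseline traffic).
MIN_DISTINCT_USERS = 10          # one source touching many accounts
MIN_FAIL_RATE = 0.8              # most replayed credentials do not work
MAX_AVG_ATTEMPTS_PER_USER = 2.0  # roughly one guess per account
BRUTE_FORCE_MIN_ATTEMPTS = 6     # many guesses against a single account

# Constructed sample: a stuffing source (11 misses, 1 hit), a brute-force
# source hammering one account, and a benign user who mistyped once.
SAMPLE_LOG = "\n".join(
    [f"2019-05-01T10:00:{i:02d}Z ip=203.0.113.7 user=user{i:02d} result=FAIL"
     for i in range(11)]
    + ["2019-05-01T10:00:11Z ip=203.0.113.7 user=carol result=OK"]
    + [f"2019-05-01T10:01:{i:02d}Z ip=198.51.100.9 user=dave result=FAIL"
       for i in range(7)]
    + ["2019-05-01T10:02:00Z ip=192.0.2.5 user=alice result=FAIL",
       "2019-05-01T10:02:05Z ip=192.0.2.5 user=alice result=OK"]
)


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated over the analysed window."""
    attempts: int = 0
    failures: int = 0
    per_user: dict = field(default_factory=lambda: defaultdict(int))
    successes: list = field(default_factory=list)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def aggregate(events):
    """Group events by source IP and count attempts, failures and users."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.per_user[e["user"]] += 1
        if e["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.append(e["user"])
    return stats


def classify(s):
    """Label one source as credential_stuffing, brute_force or benign."""
    distinct = len(s.per_user)
    fail_rate = s.failures / s.attempts
    avg_per_user = s.attempts / distinct
    if (distinct >= MIN_DISTINCT_USERS and fail_rate >= MIN_FAIL_RATE
            and avg_per_user <= MAX_AVG_ATTEMPTS_PER_USER):
        return "credential_stuffing"
    if (distinct == 1 and s.attempts >= BRUTE_FORCE_MIN_ATTEMPTS
            and fail_rate >= MIN_FAIL_RATE):
        return "brute_force"
    return "benign"


def analyze(text):
    """Return a per-IP report; successes from a stuffing source are the
    accounts whose reused password worked and should be reset/notified."""
    report = {}
    for ip, s in aggregate(parse_log(text)).items():
        verdict = classify(s)
        at_risk = sorted(set(s.successes)) if verdict == "credential_stuffing" else []
        report[ip] = {
            "verdict": verdict,
            "distinct_users": len(s.per_user),
            "attempts": s.attempts,
            "likely_compromised": at_risk,
        }
    return report


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        print(ip, r)
```

In production the same counters would be kept per sliding window (for example, five minutes) rather than over a whole file, and the source key should also consider user agent and ASN, since stuffing bots typically rotate through proxies to stay under per-IP thresholds; the distinct-user-per-source ratio is the signal that survives that rotation best.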

For such a straightforward technique, credential stuffing can be very problematic to deal with. So the next time you sign up on multiple digital platforms, remember to keep your passwords unique, use two-factor authentication whenever it is offered, and try not to get pwned!